Adoption of the Software-Defined Perimeter (SDP) Architecture for Infrastructure as a Service

IF 1.7 Q2 Engineering

Canadian Journal of Electrical and Computer Engineering-Revue Canadienne De Genie Electrique et Informatique Pub Date : 2020-01-01 DOI:10.1109/CJECE.2020.3005316

Jaspreet Singh, A. Refaey, J. Koilpillai

{"title":"Adoption of the Software-Defined Perimeter (SDP) Architecture for Infrastructure as a Service","authors":"Jaspreet Singh, A. Refaey, J. Koilpillai","doi":"10.1109/CJECE.2020.3005316","DOIUrl":null,"url":null,"abstract":"The use of cloud Infrastructure as a Service (IaaS) for enterprise applications is at an all-time high and is charted to continue growing to approximately 73% by 2022. IaaS suffers from several security concerns, such as hypervisor hijacking, virtual machine (VM) hopping, and account hijacking. With such a large percentage of enterprise traffic on the cloud, a strong security framework is demanded. To secure IaaS, this article proposes a software-defined perimeter (SDP) as a solution. SDP provides a logical perimeter to restrict access to services with a layer of authentication and authorization to allow. Only authorized clients may connect to services hidden by SDP gateways. SDP is implemented and verified in an AWS cloud environment. Port scanning is used to verify SDP behavior as well. The results demonstrate the SDP’s ability to “darken” services behind a gateway. The performance of SDP against a denial-of-service (DoS) attack is demonstrated in a local environment. The test results demonstrate that SDP is indeed capable of resisting DoS attacks while allowing legitimate user traffic even under the duration of the attack. These results lead to a discussion on future research for SDP in IaaS.","PeriodicalId":55287,"journal":{"name":"Canadian Journal of Electrical and Computer Engineering-Revue Canadienne De Genie Electrique et Informatique","volume":null,"pages":null},"PeriodicalIF":1.7000,"publicationDate":"2020-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1109/CJECE.2020.3005316","citationCount":"19","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Canadian Journal of Electrical and Computer Engineering-Revue Canadienne De Genie Electrique et Informatique","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CJECE.2020.3005316","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 19

Abstract

The use of cloud Infrastructure as a Service (IaaS) for enterprise applications is at an all-time high and is charted to continue growing to approximately 73% by 2022. IaaS suffers from several security concerns, such as hypervisor hijacking, virtual machine (VM) hopping, and account hijacking. With such a large percentage of enterprise traffic on the cloud, a strong security framework is demanded. To secure IaaS, this article proposes a software-defined perimeter (SDP) as a solution. SDP provides a logical perimeter to restrict access to services with a layer of authentication and authorization to allow. Only authorized clients may connect to services hidden by SDP gateways. SDP is implemented and verified in an AWS cloud environment. Port scanning is used to verify SDP behavior as well. The results demonstrate the SDP’s ability to “darken” services behind a gateway. The performance of SDP against a denial-of-service (DoS) attack is demonstrated in a local environment. The test results demonstrate that SDP is indeed capable of resisting DoS attacks while allowing legitimate user traffic even under the duration of the attack. These results lead to a discussion on future research for SDP in IaaS.

查看原文本刊更多论文

为基础设施即服务采用软件定义周界(SDP)体系结构

云基础设施即服务(IaaS)在企业应用程序中的使用正处于历史最高水平，预计到2022年将继续增长至约73%。IaaS存在几个安全问题，例如管理程序劫持、虚拟机(VM)跳转和帐户劫持。由于云上有如此大比例的企业流量，因此需要一个强大的安全框架。为了保护IaaS，本文提出了一个软件定义边界(SDP)作为解决方案。SDP提供了一个逻辑边界，通过一层身份验证和授权来限制对服务的访问。只有经过授权的客户端才能连接到SDP网关隐藏的业务。在AWS云环境中实现并验证SDP。端口扫描也用于验证SDP行为。结果证明了SDP在网关后面“暗化”服务的能力。在本地环境中演示了SDP抵御拒绝服务攻击的性能。测试结果表明，SDP确实能够抵抗DoS攻击，即使在攻击期间也允许合法用户的流量。这些结果引发了对IaaS中SDP未来研究的讨论。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Canadian Journal of Electrical and Computer Engineering-Revue Canadienne De Genie Electrique et Informatique 工程技术-工程：电子与电气

自引率

0.00%

发文量

期刊介绍： The Canadian Journal of Electrical and Computer Engineering (ISSN-0840-8688), issued quarterly, has been publishing high-quality refereed scientific papers in all areas of electrical and computer engineering since 1976